Enabling Auto-TLS with an intermediate CA signed by an existing Root CA

Contributor
Hello, I'm installing a CDP Private Cloud Base 7.1.7 cluster and I have to enable the Auto-TLS feature (Use case 2) as described in the Cloudera documentation: https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm... At step 5 of the procedure it is possible to use the optional argument --trusted-ca-certs which, as described, is an optional argument; if it is given, then ca-certs.pem should point to a PEM-formatted file containing one or more root CA certificates.
About this I have two questions:
1. Do I also have to add the RootCA used to sign the Intermediate CA certificate?
2. In general why should I add more trusted root CAs? Is it necessary for external client connections that use a specific RootCA?
Thanks.
2 ACCEPTED SOLUTIONS

Contributor

Hi @Ivoz 

You need to have a Cloudera account to access the KB articles. Kindly reach out to the Cloudera Sales team if you are looking for one.

Here is the public doc for AutoTLS Use case 3:

https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-encrypting-data-in-transit/topics/cm...


And yes, you need to use the --trusted-ca-certs option only to add more CA certificates, which are used to sign the certificates of external services like LDAPS, if you will be connecting CDP services to LDAPS.


Contributor

Hi @Manish2800 perfect! Thanks for your support!


4 REPLIES

Contributor

Hi @Ivoz.

1. As mentioned in the doc, cm_cert_chain.pem is a combination of the root CA certificate and the CA certificate that is generated by Cloudera Manager.


2. The --trusted-ca-certs option is used to add additional CAs which are used to sign the certificates for services which you will be using with the CDP cluster. For example, LDAPS: in order to authenticate with an LDAPS URL, you need to add the CA used to sign the LDAPS certificate in AutoTLS if that is not the same CA used to sign the Cloudera Manager intermediate CA certificate.


Kindly Note:
- In this use case 2, rotation of the Auto-TLS certificate authority is not supported. Cloudera recommends creating an intermediate CA with a long lifetime. The host certificates can be rotated by using the generateHostCerts API.
- You can apply Use Case 2 only to new Cloudera Manager installations that have not had hosts added or clusters created. If you already added hosts or created clusters, then you can implement only Use case 1 and Use case 3.


So, I would highly recommend that you use AutoTLS Use case 3. More details on AutoTLS Use case 3 are in the document below:
https://community.cloudera.com/t5/Customer/What-are-the-files-to-be-created-and-used-when-enabling/t...
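An added example (editor's, not code from this thread or from Cloudera's documentation) that shows the file layout the reply above describes: cm_cert_chain.pem holding the Cloudera Manager intermediate CA followed by the root that signed it, and a separate ca-certs.pem for --trusted-ca-certs holding the root of an external service such as an LDAPS server. All CAs and certificates are throwaway material generated on the fly with openssl; the file names, subjects and the working directory are assumptions, and the certmanager invocation itself is not shown because the thread does not give it. The last check demonstrates the point of the thread: the LDAPS certificate verifies against ca-certs.pem but not against the CM chain, which is why the extra root must be passed explicitly.

```shell
#!/bin/sh
# Added example (not from the thread or Cloudera): build the two PEM bundles
# used by the Auto-TLS Use case 2 procedure from throwaway CAs, then check them
# with openssl before handing them to Cloudera Manager. All names are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config (constructed) so CA certs carry CA:TRUE regardless of
# what the system openssl.cnf contains.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; }

# Self-signed root CA: $1 = file basename, $2 = subject
gen_root() {
  newkey "$1"
  openssl req -x509 -new -key "$1.key" -subj "$2" -config ca.cnf \
    -extensions v3_ca -days 3650 -out "$1.pem" 2>/dev/null
}

# Certificate signed by an existing CA: $1 = basename, $2 = subject,
# $3 = signer basename, $4 = "ca" for an intermediate CA, anything else for a leaf
gen_signed() {
  newkey "$1"
  openssl req -new -key "$1.key" -subj "$2" -config ca.cnf -out "$1.csr" 2>/dev/null
  if [ "$4" = ca ]; then
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 1825 -extfile ca.cnf -extensions v3_ca -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 365 -out "$1.pem" 2>/dev/null
  fi
}

# Checks worth running on any bundle before enabling Auto-TLS
count_certs()     { grep -c 'BEGIN CERTIFICATE' "$1"; }
has_private_key() { grep -q 'PRIVATE KEY' "$1"; }   # a trust bundle must never carry a key
verify_cert()     { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }  # $1 = bundle, $2 = cert

# Corporate root -> Cloudera Manager intermediate (the Use case 2 chain)
gen_root corp_root "/CN=Corp Root CA"
gen_signed cm_intermediate "/CN=Cloudera Manager Intermediate CA" corp_root ca
# Unrelated root that signs an external LDAPS server certificate
gen_root ldap_root "/CN=Directory Root CA"
gen_signed ldaps_server "/CN=ldap.example.internal" ldap_root leaf

# cm_cert_chain.pem: intermediate first, then the root that signed it
cat cm_intermediate.pem corp_root.pem > cm_cert_chain.pem
# ca-certs.pem for --trusted-ca-certs: the extra root(s) the cluster must trust
cat ldap_root.pem > ca-certs.pem

# Sanity checks: chain contents, no leaked keys, and the reason for --trusted-ca-certs:
# the LDAPS cert verifies only against ca-certs.pem, not against the CM chain.
[ "$(count_certs cm_cert_chain.pem)" -eq 2 ]
! has_private_key cm_cert_chain.pem
! has_private_key ca-certs.pem
verify_cert corp_root.pem cm_intermediate.pem
verify_cert ca-certs.pem ldaps_server.pem
! verify_cert cm_cert_chain.pem ldaps_server.pem
echo "bundles built in $WORK and verified"
```

Run it with `sh build_bundles.sh`; set WORK to choose the output directory. The has_private_key check exists because concatenating files with cat is exactly how a private key ends up in a bundle by accident, and verify_cert against cm_cert_chain.pem failing for the LDAPS certificate is the expected outcome, not an error.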

Contributor

Hi @Manish2800 thank you for your answer, I cannot access the link:

(screenshot attached)

So regarding the --trusted-ca-certs option, I need to use it only if I have to set up a TLS connection from the Cloudera cluster to external services. Is that correct?

Thanks.

Ivo
